Gaia r80.10 tag vlan 1 and native vlan


Hello team,

I need to add a new subinterface for vlan 1, like:

bond2.1

Is there any way to tag vlan 1 in Check Point? Cisco switches have the possibility to change native vlan for trunk and tag vlan 1 but I cannot find how to match this configuration in Check Point.

Thank you in advance.

Daniel


Accepted Solutions

Not supported in Gaia as described in sk110096.


Please have a look at the discussion here:

https://community.checkpoint.com/t5/General-Topics/Combine-VLAN-and-physical-interface-which-already...

and Creating VLAN interfaces on physical interface, which already has an assigned IP address in SecurePl...

It is not supported to have an IP configured on the native interface if tagged VLANs are used on that interface.

I know it will work, but you will have problems if you need support from the vendor.

Wolfgang


15 Replies
Nope this is not possible in GAIA.
The native VLAN is what it is and you cannot add a VLAN lower than 2.
Regards, Maarten

Thank you all guys.


The SK does not seem to apply to the R80.10 version. Do you know how I can notify Check Point to update it?

Thanks!


At the bottom of each sk there is a "Give us Feedback" window. Enter your comments into that window and click "Submit". A Content Developer from the SK Team will be assigned to take care of your feedback.


Please make sure you are logged in with your User Center credentials if you would like to hear back from us.


One last comment: I am not sure why you thought sk110096 applies to R80.10. It clearly states the following versions:

R75.40, R75.40VS, R75.45, R75.47, R76, R76SP, R76SP.10, R76SP.10_VSLS, R76SP.20, R76SP.30, R77, R77.10, R77.20, R77.30.01

No R80.x here so actually nothing is wrong with the sk...

 

@Ronen_Zel this is not supported in any version of GAIA so INCLUDING R80.x, that is why the SK should be adjusted.
Regards, Maarten

The "Versions" field is now updated to "All".


I had this issue about 2 years ago when I migrated all my gateways from 1Gb interfaces to 10Gb and started trunking on the 10G interfaces. For some reason a predecessor of mine thought it would be a good idea to use VLAN 1 as an ID for the main subnet.

I didn't realize that a bond0.1 could not be used until the night of cutover. What I did to work around this was, on the switch side, make the native VLAN on the interface 1, and allow all the other VLANs I wanted to tag. So the IP on my main bond0 would be the native IP on VLAN 1.


Good workaround. I have configured L3 on the bond interface too, then changed the native VLAN to ID 1 on the switch side.

Thank you!

 


Glad it worked! 


I have a question here. If adding an IP address to the main interface that is utilizing VLAN tagging is not supported, and the use of VLAN ID 1 as a tagged VLAN is not supported, what is the suggestion on how to handle this? Burn another interface for a single VLAN when VLAN ID 1 may be used in someone's environment?

Understood that it is not best practice to use VLAN ID 1, but when it is already used in a network from predecessors that may not have done things the best way, and changing the VLAN ID from 1 to something else may be a huge lift for some individuals and/or organizations (as this may pertain to access ports changing, vSwitch on ESX, etc.), what is the recommendation? I'm not refuting the fact that not using it is the right move, and/or that adding an IP to a main interface that is using tags is not supported. My question is really about what the recommendation would be in this situation, to possibly help others in the future before they get into this situation.


Correct. Use a separate interface and attach it natively to your switch. Then have your switch route it into Vlan 1.